Bugzilla – Bug 1249
unbound doesn't return FORMERR to bogus ECS
Last modified: 2017-05-30 15:26:56 CEST
Tested on svn trunk 4097.
unbound doesn't seem to be compliant with the following part of RFC7871:
o A server receiving an ECS option that uses either too few or too
many ADDRESS octets, or that has non-zero ADDRESS bits set beyond
SOURCE PREFIX-LENGTH, SHOULD return FORMERR to reject the packet,
as a signal to the software developer making the request to fix
Instead unbound simply ignores the ECS and handles the query normally.
Same for an 'unknown' address family (neither IPv6 nor IPv4), which
could be considered to violate the sense of Section 7.2.1:
A query with a wrongly formatted option (e.g., an unknown FAMILY)
MUST be rejected and a FORMERR response MUST be returned to the
sender, as described in [RFC6891], "Transport Considerations".
(although this section is about authoritative servers).
Unbound now returns FORMERR when the received query contains an ECS option that we are unable to parse.
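The checks quoted from RFC 7871 in this report, as an added example that is not unbound's code and not part of the original bug thread: a validator for the OPTION-DATA of an ECS option that reports FORMERR for an unknown FAMILY, a wrong number of ADDRESS octets, or non-zero bits beyond SOURCE PREFIX-LENGTH. The names `ecs_validate` and `enum ecs_check` and the sample byte arrays are assumptions made for illustration; SCOPE PREFIX-LENGTH is not examined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ecs_check { ECS_OK = 0, ECS_FORMERR = 1 };   /* illustrative names */

/* data/len: OPTION-DATA of an ECS option (after OPTION-CODE/OPTION-LENGTH):
 * FAMILY (2) | SOURCE PREFIX-LENGTH (1) | SCOPE PREFIX-LENGTH (1) | ADDRESS */
enum ecs_check ecs_validate(const uint8_t *data, size_t len)
{
    if (data == NULL || len < 4)
        return ECS_FORMERR;                 /* fixed fields truncated */

    unsigned family = ((unsigned)data[0] << 8) | data[1];
    unsigned source_prefix = data[2];
    size_t addr_len = len - 4;
    unsigned max_bits;

    if (family == 1)       max_bits = 32;   /* IPv4 */
    else if (family == 2)  max_bits = 128;  /* IPv6 */
    else return ECS_FORMERR;                /* unknown FAMILY */

    if (source_prefix > max_bits)
        return ECS_FORMERR;                 /* prefix longer than the address */

    /* Too few or too many ADDRESS octets for the stated prefix. */
    if (addr_len != (source_prefix + 7) / 8)
        return ECS_FORMERR;

    /* Non-zero ADDRESS bits beyond SOURCE PREFIX-LENGTH in the last octet. */
    unsigned rem = source_prefix % 8;
    if (rem != 0 && (data[len - 1] & (0xFFu >> rem)) != 0)
        return ECS_FORMERR;

    return ECS_OK;
}

/* Constructed samples, all built on the documentation prefix 192.0.2.0. */
static const uint8_t ecs_good[]  = {0, 1, 24, 0, 192, 0, 2};    /* /24, 3 octets */
static const uint8_t ecs_stray[] = {0, 1, 20, 0, 192, 0, 2};    /* /20, low bits set */
static const uint8_t ecs_long[]  = {0, 1, 24, 0, 192, 0, 2, 0}; /* 4 octets for /24 */
static const uint8_t ecs_fam[]   = {0, 3, 24, 0, 192, 0, 2};    /* FAMILY 3 */

int main(void)
{
    printf("good=%d stray=%d long=%d family=%d\n",
           ecs_validate(ecs_good, sizeof ecs_good), ecs_validate(ecs_stray, sizeof ecs_stray),
           ecs_validate(ecs_long, sizeof ecs_long), ecs_validate(ecs_fam, sizeof ecs_fam));
    return 0;
}
```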